Enable auth backend without root token

Hello,

Is it possible to have a policy that allows enabling auth backend?

Any path I authorize (auth/*, sys/auth/*, …) results in 403.

I have the feeling that enabling an auth method is only possible for a root token, can anyone confirm that?

No, you don’t need a root token for this.

You do need a policy like this, though:

# sys/auth/* is a sudo-protected endpoint: "sudo" is required on top of "update"
path "sys/auth/*" {
  capabilities = ["read", "update", "delete", "sudo"]
}

Select Vault configuration endpoints require the sudo capability in addition to the regular capability for the operation.

The purpose of this restriction seems to be to force the policy author to explicitly confirm they intend the policy to grant access to a sensitive administrative operation.

I’m not sure whether this actually accomplishes that, as there are plenty of sensitive administrative endpoints in Vault that don’t require sudo - like for example configuring an existing auth backend via auth/* APIs… so I doubt it’s actually an effective security control - but it’s probably what’s stopping you from invoking sys/auth/* operations.

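The policy from the answer next to the one the question effectively tried, as an added example that is not part of the thread. It assumes a reachable Vault with VAULT_ADDR and an admin VAULT_TOKEN exported, and the policy name "auth-admin" and mount path "userpass-demo" are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example; not the thread's own code. Assumes VAULT_ADDR and an admin
# VAULT_TOKEN are exported; "auth-admin" and "userpass-demo" are made-up names.

# Policy without sudo: regular CRUD capabilities only. Enabling an auth method
# through sys/auth/* with a token holding this policy is denied (403).
policy_without_sudo() {
  cat <<'EOF'
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete"]
}
EOF
}

# Policy with sudo, as given in the answer: sudo is required in addition to
# update because sys/auth/* is a sudo-protected endpoint.
policy_with_sudo() {
  cat <<'EOF'
path "sys/auth/*" {
  capabilities = ["read", "update", "delete", "sudo"]
}
EOF
}

# Returns 0 when the policy text grants the sudo capability, 1 otherwise.
# Useful as a pre-check before expecting sys/auth/* operations to succeed.
policy_grants_sudo() {
  printf '%s\n' "$1" | grep -q '"sudo"'
}

# Writes the policy, mints a short-lived non-root token limited to it, and
# tries to enable a userpass auth method with that token. Needs a live Vault.
enable_auth_with_policy() {
  name="$1"; hcl="$2"; mount="$3"
  printf '%s\n' "$hcl" | vault policy write "$name" -
  tok=$(vault token create -policy="$name" -field=token -ttl=10m)
  VAULT_TOKEN="$tok" vault auth enable -path="$mount" userpass
}
```

Against a dev server, `enable_auth_with_policy auth-admin "$(policy_with_sudo)" userpass-demo` succeeds, while the same call with `policy_without_sudo` is rejected with permission denied.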

Thank you! That works perfectly 🙂